Add AWS auth metadata changes to upgrade guide (#8887)
* add aws auth metadata changes to upgrade guide
This commit is contained in:
parent
5d1b7e38e6
commit
62d266e9b7
|
@ -385,6 +385,7 @@ export default [
|
|||
'upgrade-to-1.3.2',
|
||||
'upgrade-to-1.3.3',
|
||||
'upgrade-to-1.3.4',
|
||||
'upgrade-to-1.3.5',
|
||||
'upgrade-to-1.4.0'
|
||||
]
|
||||
},
|
||||
|
|
15
website/pages/docs/upgrading/upgrade-to-1.3.5.mdx
Normal file
15
website/pages/docs/upgrading/upgrade-to-1.3.5.mdx
Normal file
|
@ -0,0 +1,15 @@
|
|||
---
|
||||
layout: docs
|
||||
page_title: Upgrading to Vault 1.3.5 - Guides
|
||||
sidebar_title: Upgrade to 1.3.5
|
||||
description: |-
|
||||
This page contains the list of deprecations and important or breaking changes
|
||||
for Vault 1.3.5. Please read it carefully.
|
||||
---
|
||||
|
||||
# Overview
|
||||
|
||||
This page contains the list of deprecations and important or breaking changes
|
||||
for Vault 1.3.4 compared to 1.3.5. Please read it carefully.
|
||||
|
||||
@include 'partials/aws-auth-metadata-fix.mdx'
|
35
website/pages/partials/aws-auth-metadata-fix.mdx
Normal file
35
website/pages/partials/aws-auth-metadata-fix.mdx
Normal file
|
@ -0,0 +1,35 @@
|
|||
## The AWS Auth Engine
|
||||
|
||||
Users of the AWS Auth Engine may notice less metadata in their audit logs
|
||||
and associated with the aliases generated by logging in. This is because
|
||||
we corrected a regression where more metadata had been added by default,
|
||||
causing a performance impact for some users at scale.
|
||||
|
||||
Now, in the `/auth/aws/config/identity` endpoint, we have added the following fields:
|
||||
|
||||
- `iam_metadata` `(string: "default")` - The metadata to include on the token
|
||||
returned by the `login` endpoint. This metadata will be added to both audit logs,
|
||||
and on the `iam_alias`. By default, it includes `account_id` and `auth_type`.
|
||||
Additionally, `canonical_arn`, `client_arn`, `client_user_id`, `inferred_aws_region`,
|
||||
`inferred_entity_id`, and `inferred_entity_type` are available. To include no metadata,
|
||||
set to `""` via the CLI or `[]` via the API. To use only particular fields, select
|
||||
the explicit fields. To restore to defaults, send only a field of `default`.
|
||||
**Only select fields that will have a low rate of change** for your `iam_alias` because
|
||||
each change triggers a storage write and can have a performance impact at scale.
|
||||
- `ec2_metadata` `(string: "default")` - The metadata to include on the token
|
||||
returned by the `login` endpoint. This metadata will be added to both audit logs,
|
||||
and on the `ec2_alias`. By default, it includes `account_id` and `auth_type`.
|
||||
Additionally, `ami_id`, `instance_id`, and `region`, are available. To include no metadata,
|
||||
set to `""` via the CLI or `[]` via the API. To use only particular fields, select
|
||||
the explicit fields. To restore to defaults, send only a field of `default`.
|
||||
**Only select fields that will have a low rate of change** for your `ec2_alias` because
|
||||
each change triggers a storage write and can have a performance impact at scale.
|
||||
|
||||
At the `/auth/aws/config/identity` endpoint, if the `iam_alias` and `ec2_alias` are unset,
|
||||
the `role_id` used for login is the default alias used for auth metadata. Thus, the defaults
|
||||
selected for the `iam_metadata` and `ec2_metadata` are fields that would have a low rate of
|
||||
change for _those_ aliases.
|
||||
|
||||
This was selected because it will cover _most_ use cases. However, the AWS Auth Engine
|
||||
has many use cases, so please do configure the aliases and metadata that makes sense for
|
||||
your organization.
|
Loading…
Reference in a new issue